I have been asked to leave the company for having spotted serious security breaches

At the tail end of this post is my original post with regards to this
matter. Basically, I went and told my superiors that our network was
seriously exposed.

Today I had a meeting and, guess what, it was suggested that I find another
job. This is great, essentially having the dipshits at work side with a
completely ignorant person who knows nothing about security.

Guess what industry I work in? Education!

That's right, folks, education. Maybe the people who are in education need a
bit of it themselves.

And we wonder why our system is so screwed up!

Curious George

Dear Colleagues:

For the life of me I don't know why I have to ask this question since the
answer is so obvious, however, I need to have others tell me that I am not
completely insane.

I work at a place where we have a myriad of wireless access points and NO, I
am not writing from there at present.

NONE of the wireless access points has any form of security on them
whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
could walk into our joint, grab an IP address and surf the web to your
heart's content.

Here is the problem. My boss insists that it's "no big deal" and that since
the servers are on the inside and protected, we really don't have a thing to
worry about. Furthermore, my boss is under the impression that since we are
situated in a wide area, that nobody would be able to get into our network
because of this distance. Needless to say, my boss does not consider
somebody sneaking into a parking lot with a laptop, a good network card and
a directional bazooka antenna a possibility.

So here is what I have to explain to my boss' boss and, perhaps, the board
of directors. . . and here is where I can't help but laugh. I hope that I
will be able to keep a straight face come Monday when I have to explain
myself to people why it's important.

Okay, so I know the analogies. For example, I understand that not having a
secure wireless network with many WAPs and high gain transmission antennas
is the same as putting cables out to anybody within 'x' amount of yards with
a sign that says "free internet access", but since I am going to be asked
these obvious questions, just what type of damage could somebody do?

Yeah, I know about denial of service attacks, yeah I also know about
enumeration and password guessing, but considering that we have an SQL
server on the inside of our network (no, the sa account password is not
null) what are we talking about.

I can envision so many things. Like somebody just sitting there capturing
packets to get things like usernames, passwords and the like, but come on...
what else could they do.

I have read my boss the riot act many times, but this is now going to go in
front of somebody over my boss' head, so, aside from giving them worst case
scenarios, end of the world analogies, etc., how else could people break in.

Creative responses are appreciated and will be rewarded with much praise.

I can't believe that I have to actually explain this to people, and this
entire thing would last about two seconds when it comes to talking with a
computer professional, but you see, my boss is under the impression that
they are a computer professional because they received a Master's degree in
Comp Sci back in the 80's. I know that this line of thinking is dangerous,
but I really want some creative answers to put my point across strongly, and
yet professionally.

Although I realize that this post will likely be the butt of many jokes
(which I will appreciate immensely) I nevertheless would appreciate a bit
of useful information in your responses.

I am going to have a serious drink now, and then bang my head against the
wall.


Rule number 1... Don't mess with the boss.
Make your findings known at the staff meeting. It is his decision. You
sound like you were hounding him.
Rule number 2...You are not the boss.

"Curious George" <> wrote in message
news:5HCLd.2344$...
> Dear Colleagues:
>
> At the tail end of this post is my original post with regards to this
> matter. Basically, I went and told my superiors that our network was
> seriously exposed.
>
> Today I had a meeting and, guess what, it was suggested that I find
> another job. This is great, essentially having the dipshits at work side
> with a completely ignorant person who knows nothing about security.
>
> Guess what industry I work in? Education!
>
> That's right, folks, education. Maybe the people who are in education need
> a bit of it themselves.
>
> And we wonder why our system is so screwed up!
>
> Curious George
>
>
>
> Dear Colleagues:
>
> For the life of me I don't know why I have to ask this question since the
> answer is so obvious, however, I need to have others tell me that I am not
> completely insane.
>
> I work at a place where we have a myriad of wireless access points and NO,
> I
> am not writing from there at present.
>
> NONE of the wireless access points has any form of security on them
> whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
> could walk into our joint, grab an IP address and surf the web to your
> heart's content.
>
> Here is the problem. My boss insists that it's "no big deal" and that
> since
> the servers are on the inside and protected, we really don't have a thing
> to
> worry about. Furthermore, my boss is under the impression that since we
> are
> situated in a wide area, that nobody would be able to get into our network
> because of this distance. Needless to say, my boss does not consider
> somebody sneaking into a parking lot with a laptop, a good network card
> and
> a directional bazooka antenna a possibility.
>
> So here is what I have to explain to my boss' boss and, perhaps, the board
> of directors. . . and here is where I can't help but laugh. I hope that I
> will be able to keep a straight face come Monday when I have to explain
> myself to people why it's important.
>
> Okay, so I know the analogies. For example, I understand that not having
> a
> secure wireless network with many WAPs and high gain transmission antennas
> is the same as putting cables out to anybody within 'x' amount of yards
> with
> a sign that says "free internet access", but since I am going to be asked
> these obvious questions, just what type of damage could somebody do?
>
> Yeah, I know about denial of service attacks, yeah I also know about
> enumeration and password guessing, but considering that we have an SQL
> server on the inside of our network (no, the sa account password is not
> null) what are we talking about.
>
> I can envision so many things. Like somebody just sitting there capturing
> packets to get things like usernames, passwords and the like, but come on...
> what else could they do.
>
> I have read my boss the riot act many times, but this is now going to go
> in
> front of somebody over my boss' head, so, aside from giving them worst
> case
> scenarios, end of the world analogies, etc., how else could people break
> in.
>
> Creative responses are appreciated and will be rewarded with much praise.
>
> I can't believe that I have to actually explain this to people, and this
> entire thing would last about two seconds when it comes to talking with a
> computer professional, but you see, my boss is under the impression that
> they are a computer professional because they received a Master's degree
> in
> Comp Sci back in the 80's. I know that this line of thinking is
> dangerous,
> but I really want some creative answers to put my point across strongly,
> and
> yet professionally.
>
> Although I realize that this post will likely be the butt of many jokes
> (which I will appreciate immensely) I nevertheless would appreciate a
> bit
> of useful information in your responses.
>
> I am going to have a serious drink now, and then bang my head against the
> wall.
>
> Thanks in advance,
>
> CC
>


To some extent your boss is right. Having an open wireless is like having
an open plug in port in a public place. That is not necessarily very, very
bad. E.g., if you firewall off the wireless network, they have no less
difficulty getting into the corporate lan than they would have getting in
from Rimingi on the net. Of course often the company does not properly
firewall the wireless network, allowing potential attackers behind any
firewall. Also once they are on the net, if the company does not use point to point
encryption, the attacker can read off all of the traffic on the net,
opening company secrets.

However there is another issue. An attacker could use your network to
attack others, and the courts could well find your company partially
culpable for having an "attractive nuisance" without having erected the
requisite fences. (Like with swimming pools and kids drowning in them).
Of course the current legal situation is very murky, but I doubt that they
want to be the first to test it.

>"Curious George" <> wrote in message
>news:5HCLd.2344$...
>> Dear Colleagues:
>>
>> At the tail end of this post is my original post with regards to this
>> matter. Basically, I went and told my superiors that our network was
>> seriously exposed.
>>
>> Today I had a meeting and, guess what, it was suggested that I find
>> another job. This is great, essentially having the dipshits at work side
>> with a completely ignorant person who knows nothing about security.
>>
>> Guess what industry I work in? Education!
>>
>> That's right, folks, education. Maybe the people who are in education need
>> a bit of it themselves.
>>
>> And we wonder why our system is so screwed up!
>>
>> Curious George
>>
>>
>>
>> Dear Colleagues:
>>
>> For the life of me I don't know why I have to ask this question since the
>> answer is so obvious, however, I need to have others tell me that I am not
>> completely insane.
>>
>> I work at a place where we have a myriad of wireless access points and NO,
>> I
>> am not writing from there at present.
>>
>> NONE of the wireless access points has any form of security on them
>> whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
>> could walk into our joint, grab an IP address and surf the web to your
>> heart's content.
>>
>> Here is the problem. My boss insists that it's "no big deal" and that
>> since
>> the servers are on the inside and protected, we really don't have a thing
>> to
>> worry about. Furthermore, my boss is under the impression that since we
>> are
>> situated in a wide area, that nobody would be able to get into our network
>> because of this distance. Needless to say, my boss does not consider
>> somebody sneaking into a parking lot with a laptop, a good network card
>> and
>> a directional bazooka antenna a possibility.
>>
>> So here is what I have to explain to my boss' boss and, perhaps, the board
>> of directors. . . and here is where I can't help but laugh. I hope that I
>> will be able to keep a straight face come Monday when I have to explain
>> myself to people why it's important.
>>
>> Okay, so I know the analogies. For example, I understand that not having
>> a
>> secure wireless network with many WAPs and high gain transmission antennas
>> is the same as putting cables out to anybody within 'x' amount of yards
>> with
>> a sign that says "free internet access", but since I am going to be asked
>> these obvious questions, just what type of damage could somebody do?
>>
>> Yeah, I know about denial of service attacks, yeah I also know about
>> enumeration and password guessing, but considering that we have an SQL
>> server on the inside of our network (no, the sa account password is not
>> null) what are we talking about.
>>
>> I can envision so many things. Like somebody just sitting there capturing
>> packets to get things like usernames, passwords and the like, but come on...
>> what else could they do.
>>
>> I have read my boss the riot act many times, but this is now going to go
>> in
>> front of somebody over my boss' head, so, aside from giving them worst
>> case
>> scenarios, end of the world analogies, etc., how else could people break
>> in.
>>
>> Creative responses are appreciated and will be rewarded with much praise.
>>
>> I can't believe that I have to actually explain this to people, and this
>> entire thing would last about two seconds when it comes to talking with a
>> computer professional, but you see, my boss is under the impression that
>> they are a computer professional because they received a Master's degree
>> in
>> Comp Sci back in the 80's. I know that this line of thinking is
>> dangerous,
>> but I really want some creative answers to put my point across strongly,
>> and
>> yet professionally.
>>
>> Although I realize that this post will likely be the butt of many jokes
>> (which I will appreciate immensely) I nevertheless would appreciate a
>> bit
>> of useful information in your responses.
>>
>> I am going to have a serious drink now, and then bang my head against the
>> wall.
>>
>> Thanks in advance,
>>
>> CC
>>

"Curious George" <> wrote:
>Dear Colleagues:
>
>At the tail end of this post is my original post with regards to this
>matter. Basically, I went and told my superiors that our network was
>seriously exposed.
>
>Today I had a meeting and, guess what, it was suggested that I find another
>job. This is great, essentially having the dipshits at work side with a
>completely ignorant person who knows nothing about security.
>
>Guess what industry I work in? Education!
>
>That's right, folks, education. Maybe the people who are in education need a
>bit of it themselves.
>
>And we wonder why our system is so screwed up!
>
>Curious George

Whoa!!! Wait just a minute!

Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
would also suggest you actively search for other employment now. It
will take some time to get in the door of another job, but start now.
The main point is that you do not leave your current job...if they
want to fire you before you find a new job, that's their option. But,
it will leave you with the ability to receive unemployment
compensation while you're looking.

Celtic Leroy wrote:
> "Curious George" <> wrote:
>
>>Dear Colleagues:
>>
>>At the tail end of this post is my original post with regards to this
>>matter. Basically, I went and told my superiors that our network was
>>seriously exposed.
>>
>>Today I had a meeting and, guess what, it was suggested that I find
>>another
>>job. This is great, essentially having the dipshits at work side with a
>>completely ignorant person who knows nothing about security.
>>
>>Guess what industry I work in? Education!
>>
>>That's right, folks, education. Maybe the people who are in education need
>>a bit of it themselves.
>>
>>And we wonder why our system is so screwed up!
>>
>>Curious George
>
> Whoa!!! Wait just a minute!
>
> Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
> would also suggest you actively search for other employment now. It
> will take some time to get in the door of another job, but start now.
> The main point is that you do not leave your current job...if they
> want to fire you before you find a new job, that's their option. But,
> it will leave you with the ability to receive unemployment
> compensation while you're looking.
>
> Good luck,

Also, document everything and send the information to the board of
directors. Unfortunately some companies/Institutions are more concerned
about covering up stuff than fixing it. Send the info out.

Re: I have been asked to leave the company for having spotted serious security breaches

Celtic Leroy wrote:
>
> Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
> would also suggest you actively search for other employment now. It
> will take some time to get in the door of another job, but start now.
> The main point is that you do not leave your current job...if they
> want to fire you before you find a new job, that's their option. But,
> it will leave you with the ability to receive unemployment
> compensation while you're looking.

Actually, in Washington State, unemployment insurance benefits are not
available to anyone who was "fired for cause".

"Gualtier Malde (Chuck)" <> writes:
>Celtic Leroy wrote:
>>
>> Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
>> would also suggest you actively search for other employment now. It
>> will take some time to get in the door of another job, but start now.
>> The main point is that you do not leave your current job...if they
>> want to fire you before you find a new job, that's their option. But,
>> it will leave you with the ability to receive unemployment
>> compensation while you're looking.
>Actually, in Washington State, unemployment insurance benefits are not
>available to anyone who was "fired for cause".

On the other hand, "for cause" requires a degree of proof. You cannot
simply claim that the firing was for cause, since then all firings would be
for cause.

>On the other hand, "for cause" requires a degree of proof. You cannot
>simply claim that the firing was for cause, since then all firings would be
>for cause.
>
It sounds like you made somebody above you look bad and they want to
get rid of you.

Most companies want the easy way out. They will suggest that you
resign and they want you to resign because, indeed they do not have to
pay unemployment benefits, your severance pay, etc.

It is harder for them to fire you. They might want to avoid any
possibility of a lawsuit for "unjust termination". Even if you did
something seriously wrong, a lawsuit is embarrassing for a company.
They don't want to stir up other employees and they will have to come
up with proof either you were laid off for economic reasons or you
violated some rule or discriminated or harassed a fellow employee,
etc. Plus, there are legal expenses on both sides if you sue and it
goes to trial (which in most of these cases, it almost never does).

Furthermore, if you work for a school district, you may have civil
service rights that further specify reasons for just and unjust
termination. No government agency, let alone a school district wants
to be involved in an expensive lawsuit over terminating an employee.

Basic advice - Don't leave voluntarily. Don't sign any papers that
say you did bad things. If the job is that valuable to you, start
looking for a good employment lawyer.

On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
wrote:
>Basic advice - Don't leave voluntarily. Don't sign any papers that
>say you did bad things. If the job is that valuable to you, start
>looking for a good employment lawyer.

OTOH if you know about computer security and you are good at
what you do, move on to a better paid job where you are appreciated
and say " **** the bastards" what have you lost? a bad job.

On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
> wrote:
>
>>Basic advice - Don't leave voluntarily. Don't sign any papers that
>>say you did bad things. If the job is that valuable to you, start
>>looking for a good employment lawyer.
>
> OTOH if you know about computer security and you are good at
> what you do, move on to a better paid job where you are appreciated
> and say " **** the bastards" what have you lost? a bad job.
>
> Move out and move on.

Wonder why we've not seen a single post by the OP since that one about his
being removed? Could it have been a trolling?

On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:
> Leythos wrote:
>
>> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
>>
>>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
>>> wrote:
>>>
>>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
>>>>say you did bad things. If the job is that valuable to you, start
>>>>looking for a good employment lawyer.
>>>
>>> OTOH if you know about computer security and you are good at
>>> what you do, move on to a better paid job where you are appreciated
>>> and say " **** the bastards" what have you lost? a bad job.
>>>
>>> Move out and move on.
>>
>> Wonder why we've not seen a single post by the OP since that one about his
>> being removed? Could it have been a trolling?
>>
>
> Or he has been "escorted" out the door and is busy looking for
> employment....
>
> In either case, I have done a lot of consulting for the past couple of years
> and I am amazed at how sleazy people can become....

Yea, I've been doing work all over the country (US) and found many people
that won't listen when you tell them their network is fully exposed and
that a few hours with their firewall would fix it without any noticeable
impact on their business functions...

Leythos wrote:
> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
>
>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
>> wrote:
>>
>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
>>>say you did bad things. If the job is that valuable to you, start
>>>looking for a good employment lawyer.
>>
>> OTOH if you know about computer security and you are good at
>> what you do, move on to a better paid job where you are appreciated
>> and say " **** the bastards" what have you lost? a bad job.
>>
>> Move out and move on.
>
> Wonder why we've not seen a single post by the OP since that one about his
> being removed? Could it have been a trolling?
>

Or he has been "escorted" out the door and is busy looking for
employment....

In either case, I have done a lot of consulting for the past couple of years
and I am amazed at how sleazy people can become....

All of you have made your point. This is the Original Poster and I am not a
troll unless you catch me on a Friday night after a few drinks.

The advice given here is solid, good and very much appreciated.

Actually, I have not been asked to leave. . . it's a subtle hint, but I
think that's where they are going. After all, it would look really, really
sleeeazy to the board of directors if their chief IT guy was escorted out or
asked to leave or something else because he brought up a major, major, major
security issue which, I must add, they have NOT addressed yet!

The memos are not flying, indeed, the issue is so silent you could hear a
mouse fart. I think I have made peace with my boss, rather, tolerating it.
Nevertheless, considering the nature of the information that is at stake
(e.g. children's records, to name but a few), I think that I am doing the
right thing.

On the other hand, this type of stuff is not something that schools like to
get out.

On a brighter note, I posted this and then called a buddy of mine who has
been in the IT field about as long as I have. A phone call later and I was
on the horn with a real headhunter - no, not the sleazy employment agency
troll type, but a bona fide headhunter.

In any event, I think that what is going to happen is that they are going to
try to make things work out and then, oh well, then the ball is in my court.

I think that this underscores that it's time to move on to greener pastures.
Hey, because of this I have started toying with security utilities I had not
touched in about two years. Darn, this stuff has gotten really, really
sophisticated and. . . well, I have become rather paranoid about things. SO
guess what the first thing I did this AM was??? Yep, my password is now so
long and has so many characters in it that. . .

The short of it is that it's really sad that these are the sort of people who
we entrust to oversee the administration of schools and handle our most
precious resource, our children. I think it's not so much the teachers,
although there are plenty of bad ones I assure you, it's the administration
of these schools that is at issue. The really good teachers, the
progressive ones who want to really make a difference and truly engage these
young minds with challenges are being squashed.

Enough rambles, I am boring the crap out of everyone.

Thank you so very, very much to all of you for having contributed to this
thread. My apologies to those of you whom I have pissed because of my
excessive cross posting and I hope that if we ever have the opportunity to
work together I can return the favor.

Curious George
"Leythos" <> wrote in message
news...
> On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:
>
>> Leythos wrote:
>>
>>> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
>>>
>>>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
>>>> wrote:
>>>>
>>>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
>>>>>say you did bad things. If the job is that valuable to you, start
>>>>>looking for a good employment lawyer.
>>>>
>>>> OTOH if you know about computer security and you are good at
>>>> what you do, move on to a better paid job where you are appreciated
>>>> and say " **** the bastards" what have you lost? a bad job.
>>>>
>>>> Move out and move on.
>>>
>>> Wonder why we've not seen a single post by the OP since that one about
>>> his
>>> being removed? Could it have been a trolling?
>>>
>>
>> Or he has been "escorted" out the door and is busy looking for
>> employment....
>>
>> In either case, I have done a lot of consulting for the past couple of
>> years
>> and I am amazed at how sleazy people can become....
>
> Yea, I've been doing work all over the country (US) and found many people
> that won't listen when you tell them their network is fully exposed and
> that a few hours with their firewall would fix it without any noticeable
> impact on their business functions...
>
> --
>
> remove 999 in order to email me
>

On Wed, 02 Feb 2005 18:39:00 -0500, Curious George wrote:
> All right guys. . .
>
> All of you have made your point. This is the Original Poster and I am not a
> troll unless you catch me on a Friday night after a few drinks.

Good, I was hoping you were not a troll, this happened in a group once
before.
> The advice given here is solid, good and very much appreciated.
>
> Actually, I have not been asked to leave. . . it's a subtle hint, but I
> think that's where they are going. After all, it would look really, really
> sleeeazy to the board of directors if their chief IT guy was escorted out or
> asked to leave or something else because he brought up a major, major, major
> security issue which, I must add, they have NOT addressed yet!

So, have you put together a plan on correcting the problem? Instead of
just alerting them to the situation and making it seem like it's been
blown out the window, if you were to present a sound plan to secure the
network with time-line estimates and resources they might accept it and
turn around their issue with you.
> The memos are not flying, indeed, the issue is so silent you could hear a
> mouse fart. I think I have made peace with my boss, rather, tolerating it.
> Nevertheless, considering the nature of the information that is at stake
> (e.g. children's records, to name but a few), I think that I am doing the
> right thing.

We did a job for a state's department of health, when I was asked about
Web security and portals I mentioned that they had public IP's on their
internal network and that I could access any machine with a public IP from
anywhere in the country... As it turned out they didn't understand the
firewall and had done an ANY rule inbound to the entire developers
segment of the network... They figured that since they ran Windows with
Novell as the network that there were no problems.

I asked the departments supervisor if I could present a plan for securing
the network while still permitting developers to work without problem and
also a solution for remote access where needed. It took about 3 days to
document everything, but they bought the solution from us. It was
interesting to see the look of shock from the various department heads on
how open their network was and how easy it was to gain access to personal
information.

The funny part was that after it was secured another company came in and
sold them on the idea that if they had been using a PIX that it would
never have been a problem, and they bought it without asking about the
proposal from that company - spending all that money to replace something
they didn't understand with something they still didn't understand and was
harder to maintain.
> On the other hand, this type of stuff is not something that schools like to
> get out.
>
> On a brighter note, I posted this and then called a buddy of mine who has
> been in the IT field about as long as I have. A phone call later and I was
> on the horn with a real headhunter - no, not the sleazy employment agency
> troll type, but a bona fide headhunter.

You should still present them with a plan on resolving the issue, it may
come back as a good reference and also could get you promoted if your plan
actually fixes the problems - sometimes people react from fear/shock, but
when you put the facts and solution on paper they get a little time to
settle down and realize the implications.
> In any event, I think that what is going to happen is that they are going to
> try to make things work out and then, oh well, then the ball is in my court.
>
> I think that this underscores that it's time to move on to greener pastures.
> Hey, because of this I have started toying with security utilities I had not
> touched in about two years. Darn, this stuff has gotten really, really
> sophisticated and. . . well, I have become rather paranoid about things. SO
> guess what the first thing I did this AM was??? Yep, my password is now so
> long and has so many characters in it that. . .

You do understand that your password length means nothing if anyone else
has admin rights?
> The short of it is that it's really sad that these are the sort of people who
> we entrust to oversee the administration of schools and handle our most
> precious resource, our children. I think it's not so much the teachers,
> although there are plenty of bad ones I assure you, it's the administration
> of these schools that is at issue. The really good teachers, the
> progressive ones who want to really make a difference and truly engage these
> young minds with challenges are being squashed.
>
> Enough rambles, I am boring the crap out of everyone.
>
> Thank you so very, very much to all of you for having contributed to this
> thread. My apologies to those of you whom I have pissed because of my
> excessive cross posting and I hope that if we ever have the opportunity to
> work together I can return the favor.
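Two technical points in this thread, the earlier reply's "if you firewall off the wireless network" and the "ANY rule inbound to the entire developers segment" story above, both come down to what the firewall policy actually lets a parking-lot laptop (or the Internet) reach. The following is an added example, not code from any poster: a small first-match policy checker run against a weak policy and a hardened one. All segments, addresses, rules and probe flows are constructed for illustration.

```python
"""Firewall-policy exposure check (constructed example, not from the thread).

Models a first-match firewall policy and asks the question the thread raises:
from the open wireless segment (the parking-lot laptop), or from the Internet,
which internal hosts can actually be reached? All networks, hosts and rules
below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str               # source host address
    dst: str               # destination host address
    dport: int


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule matching the flow (first-match-wins semantics)."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == flow.dport):
            return r
    return None


def is_allowed(rules: List[Rule], flow: Flow, default: str = "deny") -> bool:
    """Evaluate a flow; an unmatched flow gets the policy's default action."""
    r = first_match(rules, flow)
    return (r.action if r is not None else default) == "allow"


def any_inbound_rules(rules: List[Rule], internal: List[IPv4Network]) -> List[Rule]:
    """Flag allow rules with an unrestricted source whose destination overlaps
    an internal segment: the 'ANY rule inbound to the developer segment' mistake."""
    return [r for r in rules
            if r.action == "allow" and r.src == ANY
            and any(r.dst.overlaps(n) for n in internal)]


def exposure_report(rules: List[Rule], probes: Dict[str, Flow]) -> Dict[str, bool]:
    """Map each named probe flow to whether the policy lets it through."""
    return {name: is_allowed(rules, f) for name, f in probes.items()}


# Constructed segments
WIRELESS = ip_network("10.50.0.0/16")   # open access points
STAFF = ip_network("10.30.0.0/24")      # wired staff LAN
SERVERS = ip_network("10.10.0.0/24")    # SQL server lives here
DEV = ip_network("10.20.0.0/24")        # developer segment
INTERNAL = [SERVERS, DEV, STAFF]

# Weak policy: wireless treated like the wired LAN, plus an ANY-inbound rule
WEAK_POLICY = [
    Rule("allow", ANY, DEV, None, "developer convenience: anything inbound"),
    Rule("allow", ip_network("10.0.0.0/8"), ANY, None, "all internal to anywhere"),
]

# Hardened policy: wireless is a guest segment with web egress only; default deny
HARDENED_POLICY = [
    Rule("deny", WIRELESS, SERVERS, None, "wireless never reaches servers"),
    Rule("deny", WIRELESS, DEV, None, "wireless never reaches developers"),
    Rule("deny", WIRELESS, STAFF, None, "wireless never reaches staff LAN"),
    Rule("allow", WIRELESS, ANY, 80, "guest web egress"),
    Rule("allow", WIRELESS, ANY, 443, "guest web egress"),
    Rule("allow", STAFF, SERVERS, None, "staff LAN to servers"),
]

# Constructed probe flows: the parking-lot laptop, an Internet host, a staff PC
PROBES = {
    "parking_lot_to_sql": Flow("10.50.3.7", "10.10.0.5", 1433),
    "parking_lot_to_web": Flow("10.50.3.7", "198.51.100.10", 443),
    "internet_to_dev_ssh": Flow("203.0.113.9", "10.20.0.15", 22),
    "staff_to_sql": Flow("10.30.0.8", "10.10.0.5", 1433),
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy: {exposure_report(policy, PROBES)}")
        for r in any_inbound_rules(policy, INTERNAL):
            print(f"  ANY-inbound rule found: {r.comment}")
```

Under the weak policy every probe is allowed, including the parking lot reaching the SQL server; under the hardened one the wireless segment gets web egress only and the Internet probe falls through to the default deny.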

Curious George wrote:
> All right guys. . .
>
> All of you have made your point. This is the Original Poster and I am not
> a troll unless you catch me on a Friday night after a few drinks.
>
> The advice given here is solid, good and very much appreciated.
>
> Actually, I have not been asked to leave. . . it's a subtle hint, but I
> think that's where they are going. After all, it would look really, really
> sleeeazy to the board of directors if their chief IT guy was escorted out
> or asked to leave or something else because he brought up a major, major,
> major security issue which, I must add, they have NOT addressed yet!
>
> The memos are not flying, indeed, the issue is so silent you could hear a
> mouse fart. I think I have made peace with my boss, rather, tolerating
> it. Nevertheless, considering the nature of the information that is at
> stake (e.g. children's records, to name but a few), I think that I am doing
> the right thing.
>
> On the other hand, this type of stuff is not something that schools like
> to get out.
>
> On a brighter note, I posted this and then called a buddy of mine who has
> been in the IT field about as long as I have. A phone call later and I
> was on the horn with a real headhunter - no, not the sleazy employment
> agency troll type, but a bona fide headhunter.
>
> In any event, I think that what is going to happen is that they are going
> to try to make things work out and then, oh well, then the ball is in my
> court.
>
> I think that this underscores that it's time to move on to greener
> pastures. Hey, because of this I have started toying with security
> utilities I had not
> touched in about two years. Darn, this stuff has gotten really, really
> sophisticated and. . . well, I have become rather paranoid about things.
> SO guess what the first thing I did this AM was??? Yep, my password is now
> so long and has so many characters in it that. . .
>
> The short of it is that it's really sad that these are the sort of people
> who we entrust to oversee the administration of schools and handle our most
> precious resource, our children. I think it's not so much the teachers,
> although there are plenty of bad ones I assure you, it's the administration
> of these schools that is at issue. The really good teachers, the
> progressive ones who want to really make a difference and truly engage
> these young minds with challenges are being squashed.
>
> Enough rambles, I am boring the crap out of everyone.
>
> Thank you so very, very much to all of you for having contributed to this
> thread. My apologies to those of you whom I have pissed because of my
> excessive cross posting and I hope that if we ever have the opportunity to
> work together I can return the favor.
>
> Curious George
> "Leythos" <> wrote in message
> news...
>> On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:
>>
>>> Leythos wrote:
>>>
>>>> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
>>>>
>>>>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
>>>>> wrote:
>>>>>
>>>>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
>>>>>>say you did bad things. If the job is that valuable to you, start
>>>>>>looking for a good employment lawyer.
>>>>>
>>>>> OTOH if you know about computer security and you are good at
>>>>> what you do, move on to a better paid job where you are appreciated
>>>>> and say " **** the bastards" what have you lost? a bad job.
>>>>>
>>>>> Move out and move on.
>>>>
>>>> Wonder why we've not seen a single post by the OP since that one about
>>>> his
>>>> being removed? Could it have been a trolling?
>>>>
>>>
>>> Or he has been "escorted" out the door and is busy looking for
>>> employment....
>>>
>>> In either case, I have done a lot of consulting for the past couple of
>>> years and I am amazed at how sleazy people can become....
>>
>> Yea, I've been doing work all over the country (US) and found many people
>> that won't listen when you tell them their network is fully exposed and
>> that a few hours with their firewall would fix it without any noticeable
>> impact on their business functions...
>>
>> --
>>
>> remove 999 in order to email me
>>

Unfortunately, George, the people that rise to the top of an organization
are more times than not sellouts: those people that hide issues instead of
fixing them. Even worse, they are the type who, when something happens, say
"Why did you not fix that?" when you have been bringing up the issue for months!
Corporations have gotten really bad...well, I guess I am ranting and raving
too much....

Like I have said many times "Those that rise to the top of an organization
rise because they float. Remember shit floats!"

Take care, the IT biz in the US is really starting to pick up. You are in NY
right? I have some good contacts, in the NY area, if you are interested.
Email me if you are.

"Curious George" <> writes:
>Allright guys. . .
>All of you have made your point. This is the Original Poster and I am not a
>troll unless you catch me on a Friday night after a few drinks.

.....
>The short of it is that it's really sad that these are the sort of people who
>we entrust to oversee the administration of schools and handle our most
>precious resource, our children. I think it's not so much the teachers,
>although there are plenty of bad ones I assure you, it's the administration
>of these schools that is at issue. The really good teachers, the
>progressive ones who want to really make a difference and truly engage these
>young minds with challenges are being squashed.

It has never been clear what the topology of your situation was.

Having this in the schools is in some ways more dangerous, since the
kids are going to try things out, and in fact you want them to try things
out-- that is how they learn. However it means that they may well
"innocently" do damage. (innocent in that they do not really know what the
consequences of their actions are.) Thus you really do want them in a
sandbox.

The problem is that in such a situation often the admin network stuff
(teacher's reports, children's files, etc) are not well protected from the
rest of the stuff the kids are supposed to be able to use. The teachers
want to be able to use the wireless to enter their grades, etc. and also
have the kids use it to connect and surf the net.

Do they really want the kids to be able to pull up their own or other kids'
files and read them, or even alter them? I.e., you need a really strong
firewall between the admin stuff and the "play" stuff. And you want any
access of the admin stuff from the play or from outside to be encrypted.
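Bill's two requirements, a firewall boundary between the admin segment and the student "play" segment and encrypted transport for whatever admin access is allowed across that boundary, can be checked mechanically against a ruleset. The following is an added example written for this page, not code from anyone in the thread. The zone names (`student_wifi`, `admin`, `internet`), the rule layout and the list of ports treated as encrypted services are assumptions made for the illustration; both sample policies are constructed. The audit also flags the kind of inbound "ANY" rule described further down the thread.

```python
# Added example: audit a simplified, first-match firewall policy for
# (1) admin/"play" segmentation and (2) encrypted-only admin access.
# Zone names, rule fields and the port list are assumptions for this example.
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"
UNTRUSTED_ZONES = {"student_wifi", "internet"}   # assumption: zone names
# Assumption: services the organisation accepts as encrypted end to end
# (SSH, HTTPS, LDAPS). Cleartext services such as SMB on TCP/445 are absent.
ENCRYPTED_PORTS = {22, 443, 636}


@dataclass(frozen=True)
class Rule:
    src: str               # source zone, or ANY
    dst: str               # destination zone, or ANY
    proto: str             # "tcp", "udp" or ANY
    dport: Optional[int]   # None means any destination port
    action: str            # "accept" or "drop"


@dataclass(frozen=True)
class Finding:
    severity: str
    rule_index: int        # -1 for a policy-wide finding
    message: str


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a flow (src zone, dst zone, proto, dport) hits this rule."""
    return (rule.src in (src, ANY) and rule.dst in (dst, ANY)
            and rule.proto in (proto, ANY)
            and (rule.dport is None or rule.dport == dport))


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
               default_action: str = "drop") -> bool:
    """First matching rule wins, as in most packet filters."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action == "accept"
    return default_action == "accept"


def audit(rules: List[Rule], default_action: str = "drop") -> List[Finding]:
    """Flag accept rules that let untrusted zones into the admin segment
    on anything other than an encrypted service. Rules shadowed by an
    earlier drop are still reported: a shadowed permissive rule is a
    latent hole that reopens when the ordering changes."""
    findings: List[Finding] = []
    if default_action == "accept":
        findings.append(Finding("high", -1,
            "default policy is accept: zones are not segmented unless "
            "every path is explicitly dropped"))
    for i, rule in enumerate(rules):
        if rule.action != "accept":
            continue
        into_admin = rule.dst in ("admin", ANY)
        from_untrusted = rule.src == ANY or rule.src in UNTRUSTED_ZONES
        if not (into_admin and from_untrusted):
            continue
        if rule.dport is None:
            findings.append(Finding("high", i,
                f"rule {i}: ANY-service accept from {rule.src} into admin"))
        elif rule.dport not in ENCRYPTED_PORTS:
            findings.append(Finding("medium", i,
                f"rule {i}: {rule.src} -> admin on {rule.proto}/{rule.dport} "
                "is not an encrypted service"))
    return findings


# Constructed sample: the flat, permissive setup the thread describes.
OPEN_POLICY = [
    Rule("student_wifi", "internet", "tcp", 80, "accept"),
    Rule("student_wifi", "internet", "tcp", 443, "accept"),
    Rule("student_wifi", "admin", "tcp", 443, "accept"),  # TLS grade portal: fine
    Rule("student_wifi", "admin", "tcp", 445, "accept"),  # admin file shares from the play side
    Rule("internet", "admin", ANY, None, "accept"),       # the inbound "ANY" rule
    Rule(ANY, ANY, ANY, None, "drop"),
]

# Constructed sample: same policy with the boundary enforced. Only the TLS
# portal crosses from the student side; nothing from the internet reaches admin.
HARDENED_POLICY = [
    Rule("student_wifi", "internet", "tcp", 80, "accept"),
    Rule("student_wifi", "internet", "tcp", 443, "accept"),
    Rule("student_wifi", "admin", "tcp", 443, "accept"),
    Rule("student_wifi", "admin", ANY, None, "drop"),
    Rule("internet", "admin", ANY, None, "drop"),
    Rule(ANY, ANY, ANY, None, "drop"),
]

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        results = audit(policy)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

Running it reports two findings for the open policy (the SMB path from student wireless and the inbound ANY rule) and none for the hardened one, while `is_allowed` confirms that TCP/445 from `student_wifi` to `admin` is accepted under the first policy and dropped under the second. Real products have richer rule semantics (interfaces, stateful matching, NAT), so a checker like this is a review aid against an exported policy, not a replacement for the firewall's own logs.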

> Good, I was hoping you were not a troll, this happened in a group once
> before.

No Troll here sir. . . nope, I wish.
> So, have you put together a plan on correcting the problem? Instead of
> just alerting them to the situation and making it seem like it's been
> blown out the window, if you were to present a sound plan to secure the
> network with time-line estimates and resources they might accept it and
> turn around their issue with you.

Actually, with the bitter taste I have in my mouth at this point, and were I
asked, I think that my answer would be something like "I think we should
bring in a firm that specializes in that sort of thing". If I were to
suggest it, then I would still have to deal with one person who "always"
knows more than me and things would get buggered up. . . It's so alien to
have to actually argue such an obvious point and if I were to suggest
something like separating things with VLANs (with the equipment we already
have). . . well, I would find myself having to argue these things in a very
uphill manner. The fact is that I know that there is a certain amount of
argument that goes with asking for any new improvement and I could see
having to explain things, but when it comes to something so rudimentary,
plus being second-guessed by people who know so, so much less than I do
(which is fine, so long as they admit it and trust in what I have to say). . .
well, maybe it's time to just move on.
> We did a job for a state's department of health, when I was asked about
> Web security and portals I mentioned that they had public IPs on their
> internal network and that I could access any machine with a public IP from
> anywhere in the country... As it turned out they didn't understand the
> firewall and had done an ANY rule inbound to the entire developers'
> segment of the network... They figured that since they ran Windows with
> Novell as the network that there were no problems.
>
> I asked the department's supervisor if I could present a plan for securing
> the network while still permitting developers to work without problem and
> also a solution for remote access where needed. It took about 3 days to
> document everything, but they bought the solution from us. It was
> interesting to see the look of shock from the various department heads on
> how open their network was and how easy it was to gain access to personal
> information.
>
> The funny part was that after it was secured another company came in and
> sold them on the idea that if they had been using a PIX that it would
> never have been a problem, and they bought it without asking about the
> proposal from that company - spending all that money to replace something
> they didn't understand with something they still didn't understand and was
> harder to maintain.

Oh I can relate to that, except that with me the uphill battle is so much
steeper and, well, even when somebody comes in who agrees with what I have
said, they still find ways to bury their heads in the sand - as if the
problem were going to go away by itself. I think that management, in
general, needs to start realizing that if they don't know something, they
have to realize that perhaps simply saying that they don't understand it and
then trusting the people they have is a good idea - then again, when it hits
the fan, they are very, very good at finding flowery excuses.
> You should still present them with a plan on resolving the issue, it may
> come back as a good reference and also could get you promoted if your plan
> actually fixes the problems - sometimes people react from fear/shock, but
> when you put the facts and solution on paper they get a little time to
> settle down and realize the implications.

Been there, done that. The silence is deafening. Promotions are not an
option here, and the only promotion I am likely to see is the one that I
give myself by leaving the organization because, God knows, when it hits the
fan because of something, they are going to try and point the fingers of
blame at anybody they can find and never accept the responsibility for their
failures. In the meantime, I have documented my findings rather splendidly
and this may have them scared.
>
> You do understand that your password length means nothing if anyone else
> has admin rights?

Yeah, and a good password cracker took about fifteen seconds to crack 75% of
their passwords, but if you mention this to people, the first thing out of
their mouth is that you are trying to "hack" into their system - now this
would seem rather retarded to anybody else, because you have domain admin
rights, but to them. . . whatever.
> Never pissed me off, I just wasn't sure if you were real or not.

>
> Take care, the IT biz in the US is really starting to pick up. You are in
> NY
> right? I have some good contacts, in the NY area, if you are interested.
> Email me if you are.
>
> Michael

Mike,

Thanks for the impromptu offer. Unfortunately I still have to be under the
surface for the time being. But don't worry, the resumes are flying, I can
assure you, and the butt is being covered. . . with a few layers of Teflon,
to say the least.

I cannot even begin to comment on that matter. Essentially, the topology is
this. . . we have each and every piece of hardware and software in place to
make our network totally what it should be. It's not a question about having
to go out and spend a lot of money. . . it's a question of letting the IT
people do their jobs.
> Having this in the schools is in some ways more dangerous, since the
> kids are going to try things out, and in fact you want them to try things
> out-- that is how they learn. However it means that they may well
> "innocently" do damage. (innocent in that they do not really know what the
> consequences of their actions are.) Thus you really do want them in a
> sandbox.

It's not the kids. The kids are dead easy to get on board. Indeed, if you
take a few kids and tell them to help you check out your security, you would
have to put up gates. But that is not the case in schools - forget about
the fact that if you take a curious young mind that is having problems with
something like math and put them to work on complex algos or something of
the sort. . . doing that is akin to asking them to sell coke and people
would be fired. Actually, if you pick up a copy of 2600 you will see a
whole section dedicated to what some kids go through in schools. Hell, if a
kid found a security hole and it were up to me, I would pin a medal on him
or her. If it's up to school administration, they would have the kid
expelled.
> Do they really want the kids to be able to pull up their own or other kids'
> files and read them, or even alter them? I.e., you need a really strong
> firewall between the admin stuff and the "play" stuff. And you want any
> access of the admin stuff from the play or from outside to be encrypted.

Pipe dreams are all that is. Schools are full of so many people that want
to bury their heads in the sand and avoid any problems that they would
rather have everything exposed. Now they are not going to come out and say
it, but that's the way it is in schools. Encryption, ha ha ha. . . don't take
my word for it, get a laptop with a good wireless card and sit outside of a
school sometime with a few decent utilities. Hell, I once sat outside of my
kid's school with a laptop for about four hours (the little darling told me
to pick him up at 2:30 but "neglected" to tell me he had a game to go to) and
was able to get so, so, so much information it was not even funny - mind
you, I had just picked up a few things here and there but with the free web
access I was getting I got a copy of a nifty utility whose name I don't
recall. The funny thing was that when I discreetly approached the head of
the technology department with this, he basically started admonishing me. As
gently as I could, I told him that he had better secure his network, but I
stopped just short of calling him an incompetent moron and has-been who
could not cut it in the real world because I did not want my kid singled
out. Still, my little darlings and his brethren had a lot of fun with him. . .
hell, I heard that a kid almost got expelled because he installed the
blue screen of death screen saver on a workstation. . . hey, who is the
moron who sets up an XP Pro box and lets any user have the rights to install
a program in the first place??? Oh do NOT get me started, that is an entire
thread in and of itself.

I think that this problem is just a part of a greater problem, and that is
that our schools, in terms of technology, really suck. And it's not just
about the money they have. . . it's about the incompetence that they
tolerate. Those of you out there who have kids and want a good laugh, go
visit the school and ask the simplest of questions of some of these so
called technology teachers. My personal favorite was when I asked somebody
if they used the NTFS file system or FAT32. . . the guy's answer was that he
used Netscape. . .

Re: I have been asked to leave the company for having spotted serious security breaches

Bill Unruh wrote:
> "Curious George" <> writes:
>
>
>>Alright guys. . .
>
>
>>All of you have made your point. This is the Original Poster and I am not a
>>troll unless you catch me on a Friday night after a few drinks.
>
>
> .....
>
>
>>The short of it is that it's really sad that these are the sort of people who
>>we entrust to oversee the administration of schools and handle our most
>>precious resource, our children. I think it's not so much the teachers,
>>although there are plenty of bad ones I assure you, it's the administration
>>of these schools that is at issue. The really good teachers, the
>>progressive ones who want to really make a difference and truly engage these
>>young minds with challenges are being squashed.
>
>
> It has never been clear what the topology of your situation was.
>
> Having this in the schools is in some ways more dangerous, since the
> kids are going to try things out, and in fact you want them to try things
> out-- that is how they learn. However it means that they may well
> "innocently" do damage. (innocent in that they do not really know what the
> consequences of their actions are.) Thus you really do want them in a
> sandbox.
> The problem is that in such a situation often the admin network stuff
> (teacher's reports, children's files, etc) are not well protected from the
> rest of the stuff the kids are supposed to be able to use. The teachers
> want to be able to use the wireless to enter their grades, etc. and also
> have the kids use it to connect and surf the net.
>
> Do they really want the kids to be able to pull up their own or other kids'
> files and read them, or even alter them? I.e., you need a really strong
> firewall between the admin stuff and the "play" stuff. And you want any
> access of the admin stuff from the play or from outside to be encrypted.
>
>
>
SSSHH I need that A to graduate ;-) Of course the secretary has her
password written on the pullout of her desk.
